AWS Organizations and Consolidated Billing

Account Management Service

What are AWS Organizations?

AWS Organization

Let’s understand some core terminology:

  1. Organization: The overall entity that holds all of your AWS accounts.
  2. Root: The top-level container that every OU and account in the organization sits under. There is exactly one root, and it is created with the organization. It is not an account, and it is not the same thing as an account’s root user. The account that creates the organization is the management account (called the master account when this was written); SCPs never restrict that account, so keep workloads and everyday users out of it.
  3. Organizational Unit (OU): A container for accounts within the root. An OU can also contain other OUs, enabling you to create a hierarchy that resembles an upside-down tree, with the root at the top and branches of OUs that reach down, ending in accounts that are the leaves of the tree.
  4. Account: A standard AWS account that contains your AWS resources. You can create a new account inside the organization or invite an existing account to join it.
  5. Service control policy (SCP): A policy that sets the maximum permissions available to users and roles in the accounts it affects. An SCP never grants access by itself: a principal still needs an IAM policy that allows the action, and the action must also be allowed, and not denied, by the SCPs at every level between the root and the account.

Why use AWS Organizations?

  1. Centralized management of all of your AWS accounts
  2. Consolidated billing for all member accounts
  3. Hierarchical grouping of your accounts to meet your budgetary, security, or compliance needs
  4. Control over the AWS services and API actions that each account can access
  5. Integration and support for AWS Identity and Access Management (IAM)

How to create AWS Organizations and member accounts?

  1. Sign in to the account that will become the management account and create the organization from there. Tip: you will not find “AWS Organizations” under Services in the console; look at the “Helpful tips” panel on the right-hand side.

To access the accounts in your organization, you must use one of the following methods:

  1. Every account has a root user you can sign in with. AWS recommends using the root user only to create IAM users, groups and roles, and then always signing in as one of those. Tip: an account created through Organizations has no root password set. To sign in as its root user, use “Forgot your password” on the sign-in page with the e-mail address you gave the account; the reset link it sends lets you set the password you then use to log in to the new account as root. Enable MFA on that root user as soon as you have access.
  2. If you create an account in your organization, you can access it through the role that Organizations preconfigures in every account created this way; the default name is OrganizationAccountAccessRole. The role carries full administrator permissions and trusts the management account, so restrict which users and roles in the management account are allowed to assume it.
  3. If you invite an existing account to join your organization and the account accepts the invitation, no such role is created for you. You can then create an IAM role in the invited account that allows the master (management) account to assume it, similar to the role automatically added to an account that is created with AWS Organizations.
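Whether the cross-account role was created for you (method 2) or by hand (method 3), its trust policy decides who can become an administrator of the member account. The following is an added example, not code from the article or from AWS: a small audit of that trust policy that checks two things a reviewer wants, that only the management account is trusted and that the caller must have authenticated with MFA (via the real condition key aws:MultiFactorAuthPresent). The management account ID 123456789012 and the three sample trust policies are constructed for the example; the first mirrors the shape of the default role’s trust policy.

```python
"""Audit the trust policy of a cross-account access role such as the
OrganizationAccountAccessRole that Organizations creates in new accounts.

Added example; not code from the article or from AWS.  The management
account ID 123456789012 and the three trust policies below are constructed
for the example.  The default role carries full administrator permissions
and trusts the management account with no conditions, so the two checks a
reviewer wants are: only the management account is trusted, and the caller
must have authenticated with MFA.
"""
import json

MANAGEMENT_ACCOUNT = "123456789012"   # placeholder account ID

# Shape of the trust policy on the role Organizations creates by default:
# management-account root principal, no conditions.
DEFAULT_TRUST = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": "sts:AssumeRole",
    }],
})

# Hardened variant: same principal, but STS refuses the AssumeRole call
# unless the caller's session was established with MFA.
HARDENED_TRUST = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
})

# Misconfiguration: a wildcard principal lets any AWS account assume the role.
OPEN_TRUST = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "sts:AssumeRole",
    }],
})


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _principal_account(principal):
    """Account ID named by an AWS principal string, or '*' for a wildcard."""
    if principal == "*":
        return "*"
    if principal.startswith("arn:aws:iam::"):
        return principal.split(":")[4]      # arn:aws:iam::<account>:...
    return principal                        # bare 12-digit account ID form


def audit_trust_policy(document, management_account=MANAGEMENT_ACCOUNT):
    """Return a list of findings; an empty list means the policy passes."""
    findings = []
    policy = json.loads(document)
    statements = policy["Statement"]
    if isinstance(statements, dict):        # a single statement is allowed
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue                        # not an AssumeRole grant
        principal = stmt.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in aws_principals:
            account = _principal_account(p)
            if account == "*":
                findings.append(f"statement {i}: wildcard principal, any AWS account may assume this role")
            elif account != management_account:
                findings.append(f"statement {i}: trusts account {account}, not the management account")
        mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            findings.append(f"statement {i}: no aws:MultiFactorAuthPresent condition, MFA is not required")
    return findings


if __name__ == "__main__":
    for name, doc in [("default", DEFAULT_TRUST), ("hardened", HARDENED_TRUST), ("open", OPEN_TRUST)]:
        print(name, audit_trust_policy(doc) or "OK")
```

Run against the real role, feed it the output of `aws iam get-role` for the member account; the check is deliberately strict about the management account ID so that a role quietly re-pointed at a different account shows up as a finding.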

Managing Organization Policies

A policy such as an SCP can be attached at three levels of the hierarchy, and an account is subject to every policy attached along its path from the root:

  1. A root. A policy applied to the root applies to all accounts in the organization.
  2. An OU. A policy applied to an OU applies to all accounts in the OU and in any child OUs.
  3. An account. A policy applied to an account applies only to that one account.
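The three attachment levels above interact with the SCP definition given earlier in a way that is easy to get wrong: an action is only permitted if the SCPs at every level from the root down to the account allow it, and a single explicit deny at any level wins. The following is an added example, not code from the article or from AWS, that simulates that evaluation over a constructed organization (root, two OU levels, two placeholder account IDs) with the default FullAWSAccess SCP plus a deny-list guardrail and an allow-list SCP. It models member accounts only; SCPs do not restrict the management account or service-linked roles.

```python
"""Simulate how service control policies (SCPs) combine down the
root -> OU -> account hierarchy.

Added example; this is not code from the article or from AWS.  The
organization layout, account IDs and SCP documents below are constructed
sample data.  The evaluation rule is the documented one: an SCP never
grants anything on its own, and an action passes the SCP check only if,
at every level from the root down to the account, some attached SCP
allows it and no attached SCP denies it.  IAM must then allow it as well.
"""
import fnmatch

# Constructed organization tree: node -> (parent, [attached SCP names]).
# Account IDs are placeholders.
TREE = {
    "Root":         (None,        ["FullAWSAccess"]),
    "Workloads":    ("Root",      ["FullAWSAccess", "DenyLeaveOrg"]),
    "Prod":         ("Workloads", ["FullAWSAccess", "DenyCloudTrailTamper"]),
    "Sandbox":      ("Workloads", ["AllowlistOnly"]),
    "111111111111": ("Prod",      ["FullAWSAccess"]),
    "222222222222": ("Sandbox",   ["FullAWSAccess"]),
}

# Constructed SCP documents (same JSON shape as IAM policies).
SCPS = {
    # AWS attaches this default SCP to every root, OU and account.
    "FullAWSAccess": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    # Deny-list guardrail: member accounts cannot leave the organization.
    "DenyLeaveOrg": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Action": "organizations:LeaveOrganization",
         "Resource": "*"}]},
    # Deny-list guardrail: nobody in Prod can switch off audit logging.
    "DenyCloudTrailTamper": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny",
         "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
         "Resource": "*"}]},
    # Allow-list SCP: only EC2 and S3.  Because FullAWSAccess is *not*
    # attached to the Sandbox OU alongside it, every other service is
    # implicitly denied there.
    "AllowlistOnly": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"}]},
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _matches(pattern, action):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def scp_verdict(policy, action):
    """Verdict of one SCP for one action: 'deny', 'allow' or 'implicit'."""
    allowed = False
    for stmt in policy["Statement"]:
        if any(_matches(p, action) for p in _as_list(stmt["Action"])):
            if stmt["Effect"] == "Deny":
                return "deny"          # an explicit deny wins immediately
            allowed = True
    return "allow" if allowed else "implicit"


def lineage(node):
    """Path from the root down to `node`, e.g. Root -> Workloads -> Prod -> account."""
    path = []
    while node is not None:
        path.append(node)
        node = TREE[node][0]
    return path[::-1]


def scp_allows(account, action):
    """True only if every level in the account's lineage allows the action."""
    for level in lineage(account):
        verdicts = [scp_verdict(SCPS[name], action) for name in TREE[level][1]]
        if "deny" in verdicts or "allow" not in verdicts:
            return False
    return True


def effective(account, action, iam_allows):
    """Final decision for a user or role in a member account."""
    return iam_allows and scp_allows(account, action)


if __name__ == "__main__":
    for acct, action in [("111111111111", "ec2:RunInstances"),
                         ("111111111111", "cloudtrail:StopLogging"),
                         ("222222222222", "cloudtrail:StopLogging"),
                         ("222222222222", "iam:CreateUser")]:
        print(f"{acct} {action:<26} SCP allows: {scp_allows(acct, action)}")
```

Two things the run shows that the list above does not spell out: the Sandbox account loses CloudTrail access without any deny statement, simply because the allow-list SCP on its OU never mentions cloudtrail, and the Prod account cannot stop logging even though its own attached SCP is the permissive FullAWSAccess, because the deny sits one level up.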

Thanks for reading 👍🏻




Bhargav Shah, Cloud Solution Architect at Walmart Japan
